On March 15, 2017, New Mexico's Senate passed H.B. 15, which would create the state's first data breach notification law. New Mexico is currently one of only three states (including Alabama and South Dakota) without a data breach notification law. The bill passed New Mexico's House in February and will now be sent to the governor to sign into law.

If signed, the bill would require companies that own or license data containing the personal identifying information ("PII") of New Mexico residents to notify those residents whose PII the company reasonably believes was subject to a security breach within 45 calendar days of discovering the breach. The company also would have to notify the New Mexico attorney general and consumer reporting agencies within 45 calendar days if more than 1,000 residents are affected in a single security breach. The bill would not require notification if there is no significant risk of identity theft or fraud.

Consistent with a growing number of states that now include biometric data within state law definitions of PII, the bill defines PII as unencrypted data containing the individual's name in combination with a social security number, driver's license number, government-issued identification number, account number, credit or debit card number, or biometric data.

The bill would require companies generally to maintain reasonable security procedures and practices for storing and properly disposing of PII. As such, the bill brings New Mexico in line with those states that have legislated both general data protection obligations as well as a breach notification obligation.

The bill would permit the New Mexico attorney general to impose civil penalties for knowing or reckless violations of the law in an amount of the greater of $25,000, or $10 per instance of failed notification up to $150,000.

Despite legislative efforts, there is no single federal breach notification law. Companies are subject to the laws of 47—and now potentially 48—states, and D.C., Guam, Puerto Rico, and the Virgin Islands. Expanding definitions of PII, encryption safe harbor modifications, and other developing issues across existing state data protection and breach notification laws bear careful scrutiny.